Merge branch 'main' into v2-releases

This commit is contained in:
Tim Möhlmann 2023-10-23 17:18:29 +03:00 committed by GitHub
commit cc59572cca
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 18 additions and 45 deletions


@ -1,6 +1,6 @@
# Security Policy
At ZITADEL we are extremely grateful for security aware people that disclose vulnerabilities to us and the open source community. All reports will be investigated by our team.
Please refer to the security policy [on zitadel/zitadel](https://github.com/zitadel/zitadel/blob/main/SECURITY.md) which is applicable for all open source repositories of our organization.
## Supported Versions
@ -12,39 +12,9 @@ We currently support the following version of the OIDC framework:
| <2.11 | :x: | | not maintained |
| 2.11.x | :lock: :warning: | [2.11.x][1] | security only, [community effort][2] |
| 3.x.x | :heavy_check_mark: | [main][3] | supported |
| 4.0.0-xx | :white_check_mark: | [next][4] | [development branch] |
| 4.0.0-xx | :white_check_mark: | [next][4] | [development branch] |
[1]: https://github.com/zitadel/oidc/tree/2.11.x
[2]: https://github.com/zitadel/oidc/discussions/458
[3]: https://github.com/zitadel/oidc/tree/main
[4]: https://github.com/zitadel/oidc/tree/next
## Reporting a vulnerability
To file a incident, please disclose by email to security@zitadel.com with the security details.
At the moment GPG encryption is no yet supported, however you may sign your message at will.
### When should I report a vulnerability
* You think you discovered a ...
* ... potential security vulnerability in the SDK
* ... vulnerability in another project that this SDK bases on
* For projects with their own vulnerability reporting and disclosure process, please report it directly there
### When should I NOT report a vulnerability
* You need help applying security related updates
* Your issue is not security related
## Security Vulnerability Response
TBD
## Public Disclosure
All accepted and mitigated vulnerabilities will be published on the [Github Security Page](https://github.com/zitadel/oidc/security/advisories)
### Timing
We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknown nature of the disclosures the time frame can range from 7 to 90 days.


@ -10,7 +10,7 @@ import (
"strings"
"time"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"github.com/sirupsen/logrus"
"github.com/zitadel/oidc/v3/pkg/client/rs"


@ -6,7 +6,7 @@ import (
"html/template"
"net/http"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"github.com/zitadel/oidc/v3/pkg/op"
)


@ -7,7 +7,7 @@ import (
"log"
"net/http"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"golang.org/x/text/language"
"github.com/zitadel/oidc/v3/example/server/storage"


@ -8,7 +8,7 @@ import (
"net/http"
"net/url"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"github.com/gorilla/securecookie"
"github.com/sirupsen/logrus"
"github.com/zitadel/oidc/v3/pkg/op"


@ -5,7 +5,7 @@ import (
"fmt"
"net/http"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"github.com/zitadel/oidc/v3/pkg/op"
)


@ -7,7 +7,7 @@ import (
"sync/atomic"
"time"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"github.com/zitadel/logging"
"golang.org/x/exp/slog"
"golang.org/x/text/language"

2
go.mod

@ -3,7 +3,7 @@ module github.com/zitadel/oidc/v3
go 1.19
require (
github.com/go-chi/chi v1.5.4
github.com/go-chi/chi/v5 v5.0.10
github.com/go-jose/go-jose/v3 v3.0.0
github.com/golang/mock v1.6.0
github.com/google/go-github/v31 v31.0.0

4
go.sum

@ -1,8 +1,8 @@
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/go-chi/chi v1.5.4 h1:QHdzF2szwjqVV4wmByUnTcsbIg7UGaQ0tPF2t5GcAIs=
github.com/go-chi/chi v1.5.4/go.mod h1:uaf8YgoFazUOkPBG7fxPftUylNumIev9awIWOENIuEg=
github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=


@ -6,7 +6,7 @@ import (
"net/http"
"time"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
jose "github.com/go-jose/go-jose/v3"
"github.com/rs/cors"
"github.com/zitadel/schema"


@ -5,7 +5,7 @@ import (
"net/http"
"net/url"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"github.com/rs/cors"
"github.com/zitadel/logging"
httphelper "github.com/zitadel/oidc/v3/pkg/http"


@ -6,7 +6,7 @@ import (
"net/http"
"time"
"github.com/go-chi/chi"
"github.com/go-chi/chi/v5"
"github.com/zitadel/oidc/v3/pkg/oidc"
)


@ -51,7 +51,10 @@ func CreateTokenResponse(ctx context.Context, request IDTokenRequest, client Cli
if err != nil {
return nil, err
}
state = authRequest.GetState()
// only implicit flow requires state to be returned.
if code == "" {
state = authRequest.GetState()
}
}
exp := uint64(validity.Seconds())
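Review bot: The new guard `if code == ""` uses an empty authorization code as a proxy for the implicit flow, but nothing in the hunk ties that to the request's response type, so any caller that reaches this path with an empty code for some other grant would still have state echoed into the token response. The comment should state the actual rule rather than the proxy, e.g. `// state belongs only to the implicit-grant authorization response (RFC 6749 §4.2.2); the token endpoint response (§5.1) has no state parameter, so it is omitted when a code was exchanged.` If the AuthRequest interface exposes the requested response type, checking that directly would be the more precise signal, though this hunk does not show whether it does. CreateTokenResponse begins and ends outside the hunk, so where `state` is consumed is not visible here.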